Biennial Report:

System of Internal Controls

and Internal Auditing

in Executive Agencies

January 2011

Table of Contents

Introduction

Internal Control and Accountability Unit Mission and Strategies

Control Environment – An Indication of Overall Internal Control Health

Audit Report Monitoring

Internal Audit Efforts

Introduction

The Internal Control and Accountability Unit was formed as a result of Minn. Stat. Section 16A.057, passed by the 2009 Legislature. By statute, the unit coordinates the design, implementation, and maintenance of an effective system of internal controls and internal auditing for all executive branch agencies.

This report provides background on our purpose and strategies, as well as on the status of agency internal controls. We are pleased to present this report on the State of Minnesota’s system of internal controls and internal auditing for 2009 and 2010.

Internal Control and Accountability Unit Mission and Strategies

The primary mission of the Internal Control and Accountability Unit is to improve internal controls throughout state government. The unit has the following statutory responsibilities:

  • Adopt statewide internal control standards and policies
  • Coordinate executive branch agency internal control training and assistance
  • Promote and coordinate the sharing of internal audit resources
  • Monitor Office of the Legislative Auditor (OLA) reports and corresponding corrective action plans; and
  • Make biennial reports on the system of internal controls and internal auditing in executive branch agencies

The Internal Control and Accountability Unit uses multiple strategies to promote internal controls. Through its activities, the unit translates theoretical internal control concepts into practical steps that state agencies can take to strengthen their internal control systems and minimize the occurrence of errors and fraud. The State of Minnesota uses theInternal Control—Integrated Framework (often referred to as COSO) as a standard way of describing and discussing internal control. The COSO framework is well-established and is used nation-wide by both for-profit and governmental entities, as well as their auditors, to document and assess internal controls.

The unit’s major accomplishments over the past two years include the following:

  • Development of a control environment self-assessment tool.Control environment is the foundation of an effective internal control structure, setting the tone of the organization and influencing the control consciousness of its people. The self-assessment tool helps agency management measure their agency’s internal control fundamentals.
  • Implementation of the Code of Conduct policy.The unit managed the implementation of the state’s new code of conduct policy for executive branch employees with accounting, auditing, financial reporting, or tax filing duties. All executive branch departments and boards adopted the code of conduct and more than 8,900 state employees were trainedand completed certification of their commitment to comply with the code’s policy provisions.
  • Publication of risk assessment guidance and examples.The skill to perform and document risk assessments is a key component of a mature internal control structure. The unit developed extensive guidance on risk assessments, which executive branch agencies will use to identify vulnerabilities and formulate actions to mitigate these risks. The unit also partnered with agency staff to perform pilot risk assessments on selected business processes, applying the new guidance.
  • Monitoring of Office of the Legislative Auditor (OLA) reports.The unit monitors OLA financial audit reports and corresponding agency corrective action plans. This includes attending OLA exit conferences and tracking the status of all unresolved OLA audit findings.
  • Coordination of state internal audit efforts.To support the state’s internal audit offices, the Internal Control and Accountability Unit facilitates a statewide internal audit roundtable. The group meets regularly to discuss internal control and internal audit issues, provide networking opportunities, and share ideas and best practices.
  • Distribution of monthly internal control bulletins.The unit’s monthly control bulletins have a distribution list of over 650, including state employees, legislators, and interested parties outside of state government. Recent bulletins discussed topics such as the state’s code of conduct, fraud, information system access, and effective communication. The bulletin is a monthly reminder of each person’s responsibilities to foster sound internal controls.
  • Review of American Recovery and Reinvestment Act (ARRA) reporting. Due to the significance and visibility of ARRA funding, the unit reviewed and evaluated two quarters of the state’s federal reporting processes, as well as the state recovery website. The unit also consulted with individual state agency officials concerning their internal controls over ARRA funds.
  • Training and outreach to executive branch state agencies. The unit made numerous presentations to state agency groups, including a four hour seminar on internal controls over financial reporting as part of Minnesota Management & Budget’s Introduction to Minnesota Governmental Accounting Theory and Application in 2010.
  • Expansion of the state’s internal control web presence.The unit has a robust, ever expanding web presence which includes sensible guidance on internal controls, including assessing control environment and performing risk assessments.

Control Environment – An Indication of Overall Internal Control Health

Establishing an organizational culture of honesty, integrity, and ethical behavior is management’s most critical internal control responsibility. As a result, much of the Internal Control and Accountability Unit’s focus over the past two years has been to strengthen the state’s control environment, ensuring that the state has a strong internal control foundation on which to build.

To better evaluate the state’s control environment, the Internal Control and Accountability Unit created a control environment self-assessment tool. To produce the tool, the unit translated theoretical COSO control environment factors into twenty goals that demonstrate sound control environment specifically for the State of Minnesota. For each goal, the tool links related Minnesota statutes, laws, rules, and policies that provide real-life expectations of the state legislature and executive branch management. The tool shows how seemingly disparate state requirements in areas such as budget monitoring, data practices, human resources, and management style all work together to create a wholesome, healthy organization.

The table below shows the state’s twenty control environment goals, as well as the relationship to the COSO framework control environment factors.

Table 1-Control Environment Self-Assessment Tool Goals

  1. Integrity and Operating Style
Goal 1.Agency management fosters and encourages an agency culture that emphasizes the importance of integrity and ethical values.
Goal 2.The agency’s positive culture promotes appropriate moral and ethical behavior in dealings with co-workers. Employees know what kind of behavior is acceptable.
Goal 3.Management has a sound basis for setting and monitoring budgets and does not pressure employees to circumvent budget statutes, rules and instructions.
Goal 4.The agency provides the legislature and other oversight bodies with timely and accurate information to allow monitoring of agency activities.
  1. Management’s Philosophy and Operating Style
Goal 5.Agency employees have a clear understanding of the organization’s mission, goals, and objectives.
Goal 6.Employees understand how their job duties and responsibilities help to promote a strong internal control environment.
Goal 7.Management looks externally for opportunities to improve the internal control process.
  1. Organizational Structure
Goal 8.The agency’s organizational structure facilitates coordination and flow of information throughout the agency.
Goal 9.The agency is able to maintain its priority services during an event that might threaten to disrupt those services.
  1. Assignment of Authority and Responsibility
Goal 10.The agency assigns authority and delegates responsibility to the proper personnel to achieve the agency goals and objectives.
Goal 11.Management ensures that agency information is appropriately protected against loss, corruption or misuse.
Goal 12.Valuable assets are appropriately safeguarded.
Goal 13.Agency facilities are protected against unauthorized physical access.
  1. Human Resources Policies and Procedures
Goal 14.Agency management strives to recruit and retain competent people to carry out agency mission, goals and objectives.
  1. Commitment to Competence
Goal 15.Management ensures new hires have the appropriate level of knowledge and skills needed to satisfactorily perform their jobs.
Goal 16.New hires are aware of the agency’s mission, goals, objectives and expected ethical behavior. They clearly understand their responsibilities and the expectations of their jobs.
Goal 17.The agency continually seeks to improve or maintain employee knowledge and skills.
  1. Oversight Groups
Goal 18.Management values opportunities to improve internal controls and correct deficiencies.
Goal 19.Management performs top level reviews of actual performance.
Goal 20.The agency actively engages with the legislature, oversight committees and/or oversight boards.

To reinforce the importance of control environment, the governor required cabinet-level agencies to submit a completed copy of the control environment self-assessment tool as part of each agency’s transition materials. This directive allowed existing commissioners to assess the strength of their agencies’ control environments and pass on that knowledge to their successors.

The results of cabinet-level agency control environment evaluations are encouraging. Overall, existing legal and policy requirements have promoted strong control environment practices and, as a result, agency conclusions were generally positive. The summary below shows cabinet-level agency conclusions on control environment as of October 15, 2010.

Figure 1 - Control Environment Results

Goal # / Adequate / Action Needed
1 / 79% / 21%
2 / 50% / 50%
3 / 93% / 7%
4 / 93% / 7%
5 / 86% / 14%
6 / 57% / 43%
7 / 86% / 14%
8 / 71% / 29%
9 / 36% / 64%
10 / 79% / 21%
11 / 50% / 50%
12 / 57% / 43%
13 / 86% / 14%
14 / 64% / 36%
15 / 86% / 14%
16 / 64% / 36%
17 / 43% / 57%
18 / 64% / 36%
19 / 50% / 50%
20 / 86% / 14%

Budget-setting, monitoring, and compliance with budget laws and statutes (Goal 3) was cited most often as being an area of control environment strength. Given the fiscal and budgetary challenges the state faces, it is critical that controls in this area remain strong. Another area of strength was agency relationships with oversight groups (Goal 4).

Cabinet-level agency self-assessments did, however, also highlight some areas where action was needed to strengthen control environment, particularly relating tobusiness continuity (Goal 9) and the improvement of employee knowledge and skills (Goal 17). The Internal Control and Accountability Unit is working with the Office of Enterprise Technology and the Minnesota Management & Budget Human Resource Management Division to provide statewide leadership and help agencies resolve enterprise-wide issues relating to these two goals.

Audit Report Monitoring

The Internal Control and Accountability Unit monitors Office of the Legislative Auditor (OLA) financial audit reports and corresponding agency corrective action plans. The unit’s involvement begins with attending exit conferences between the OLA and agency management. By hearing about the findings directly from the auditors, the unit is better able to consult with agency management, if necessary, to assist them in understanding the audit issues and working toward resolution.

To track and monitor the status of OLA findings, the unit has developed a finding database. Whenever the OLA issues a financial audit report, each finding is classified as to audit type and process area. The chart below shows the distribution of 2009 and 2010 audit findings among the state’s various services. It points out the vast array of state activities and underscores the variety of internal control issues being reported by the OLA.

Figure 2-OLA Audit Findings by Process Area

Process Area / % of Total 2009-2010 Audit Findings
IT / 22%
Non-Grant Disbursements / 17%
Grants / 12%
Reporting / 11%
Multiple Processes / 10%
Payroll/HR / 7%
Non-Grant Receipts / 5%
Employee Reimbursement / 4%
Accounts Rec/Pay / 4%
Contracts / 3%
Capital Assets / 3%
Other / 2%

The database’s classification capabilities allow the Internal Control and Accountability Unit to identify statewide areas of concern, as well as instances where many agencies are being cited for similar issues. The unit is uniquely positioned within Minnesota Management & Budget to research and evaluate commonly occurring issues, and to determine if additional statewide guidance should be issued to help agencies resolve the findings.

The unit updates the status of each unresolved OLA audit finding quarterly. The update process reminds agencies of their responsibilities to review and resolve outstanding audit findings promptly and to provide updates on the status of all unresolved OLA financial audit findings at least every 90 days. The chart below shows the status of 2009 and 2010 audit findings. As can be seen, agencies had resolved about 57 percent of all 2009 and 2010 reported financial audit findingsas of December 31, 2010. Nineteen percent of the findings remain unresolved as of December 31, 2010. This percentage is not unexpected, as some of the more complex audit issues may take months or even years to completely resolve. The unit will continue to monitor the implementation percentages and will assist agencies in determining effective and realistic resolution plans, if needed.

Figure 3- 2009-2010 OLA Findings by Status

Internal Audit Efforts

The state’s internal auditors play a crucial role in promoting sound internal controls throughout the state. There is an increased demand for internal auditors and other internal control experts to train agencies on internal control concepts and help facilitate the formal assessment of the state’s internal control structure. However, there is currently no legal requirement for agencies to employ internal auditors. As a result, internal audit presence within executive branch agencies of the state is uneven, at best.

The chart below shows the extent of internal audit presence among the state’s 17 cabinet-level agencies:

Figure 4 - Internal Audit Presence In Cabinet-Level Agencies

As of December 15, 2010, there were 43 internal audit professionals employed within the executive branch of state government, an increase of six since January 2009. Thirteen state agencies have dedicated internal audit resources, including 10 of 17 cabinet-level agencies. Of the 13 agencies that have an audit function, six of these audit offices were established recently, within the last two years. Agencies have indicated a desire to add additional internal control and/or internal audit professionals in the upcoming months, if resources permit.

In a recent survey, agencies with internal audit functions provided information on the scope of activities performed by the agency’s audit staff. The chart below shows the result of the survey.

Figure 5 - Internal Audit Shop Responsibilities

Internal Audit Shop Responsibility / Percentage of responsibilities
All / 23%
Management Consulting / 77%
Control Structure Documentation / 77%
Risk Assessments / 85%
Financial Statement Audits / 46%
Federal and/or State Compliance Audits/Evaluations / 85%
Information Technology Audits/Evaluations / 38%
Internal Control Audits/Evaluations / 92%

Not surprisingly, survey responses confirmed that most all internal audit offices evaluate and test internal controls, with some also performing risk assessments and creating control structure documentation. Many auditor offices also are providing management consultation, which includes training management and staff on internal control concepts.

One area somewhat lacking is information technology (IT) audit coverage. Only about one-third of agencies with internal auditors reported having IT audit or review activities. This is an area of concern, given state government’s reliance on IT to conduct its day-to-day operations.

A dedicated, independent internal audit function assists management by bringing a systematic, disciplined approach to assessing the effectiveness of the design and execution of the agency’s internal control structure. An objective internal control assessment provides management, the governor, and external stakeholders with independent assurance that the agency’s risks have been appropriately mitigated. Because internal auditors are experts in understanding organizational risks and internal controls available to mitigate these risks, they assist management in understanding these topics and provide recommendations for improvements.

For more information on any of the topics presented in this report, please visit the Internal Control and Accountability Unit’s website(